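# ===============================================
# 🛡️ Complete UFW Firewall Cheatsheet for Linux (Fedora, Ubuntu, Debian) – Secure Your System Easily
# ===============================================
# UFW (Uncomplicated Firewall) is a frontend for iptables (on current distros
# usually the iptables-nft shim over nftables).
# This guide covers installation, configuration, and common tasks.
#
# Each command below is a one-liner meant to be copied individually; this file
# is a reference, not a script to execute (several lines open an editor).
#
# ⚠️ If you administer the host over SSH: add your SSH allow/limit rule BEFORE
# `ufw enable` (and again after `ufw reset`), otherwise the "deny incoming"
# default drops your own session and locks you out.

# -----------------------------------------------
# 🔧 Install & Manage UFW
# -----------------------------------------------

# Install UFW (Fedora / RHEL / CentOS)
# On RHEL/CentOS the package is typically provided by EPEL (`sudo dnf install epel-release` first).
sudo dnf install ufw -y

# Fedora ships firewalld by default. Two firewall managers loading rules into the
# same kernel tables produce conflicting, hard-to-debug policy, so stop and
# disable firewalld before enabling ufw:
# sudo systemctl disable --now firewalld

# For Debian / Ubuntu:
# sudo apt install ufw -y

# Enable UFW service at startup
sudo systemctl enable ufw
# or enable and start in one step:
# sudo systemctl enable ufw --now

# Start / Stop / Restart UFW
# `ufw disable` unloads every rule — the host is unfiltered until re-enabled.
sudo ufw enable
sudo ufw disable
sudo systemctl start ufw
sudo systemctl stop ufw
sudo systemctl restart ufw

# Check current UFW status (default policies, logging level, rule list)
sudo ufw status verbose

# Show detailed firewall rules (raw iptables view of everything ufw loaded)
sudo ufw show raw

# -----------------------------------------------
# ⚙️ Default Policies & Configuration
# -----------------------------------------------

# Reset all rules to default
# NOTE: reset also DISABLES the firewall. Re-add your rules (SSH first!) and run
# `ufw enable` afterwards.
sudo ufw reset
# or non-interactively (skips the confirmation prompt; useful in provisioning scripts):
sudo ufw --force reset

# Default deny all incoming, allow outgoing
sudo ufw default deny incoming
sudo ufw default allow outgoing

# For a hardened setup (egress filtering as well):
sudo ufw default deny incoming
sudo ufw default deny outgoing

# Allow only necessary outgoing traffic.
# ufw refuses a multi-port rule without a protocol ("Must specify 'tcp' or 'udp'
# with multiple ports"), and DNS/NTP are UDP, so split the list by protocol:
sudo ufw allow out 22,80,443/tcp
sudo ufw allow out 53,123/udp
# Add FTP only if you actually need it — it is cleartext, and active mode needs
# inbound data connections that this rule does not cover:
# sudo ufw allow out 20,21/tcp
# A DHCP client may additionally need outgoing UDP to port 67:
# sudo ufw allow out 67/udp

# Check or edit UFW config file (policy defaults, IPv6, logging backend).
# `ufw default ...` above updates these values for you; edit by hand only when
# pre-seeding a config.
sudo nano /etc/default/ufw
# Common contents:
# DEFAULT_INPUT_POLICY="DROP"
# DEFAULT_OUTPUT_POLICY="DROP"

# -----------------------------------------------
# ✅ Basic Rules
# -----------------------------------------------

# Allow essential services (service names are resolved via /etc/services)
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https

# Allow a specific port
sudo ufw allow 8080/tcp

# Allow access from a specific IP
# (add `proto tcp` to avoid also opening UDP 22, which SSH never uses)
sudo ufw allow from 192.168.1.6 to any port 22

# Deny SSH from everyone else
# NOTE: the blanket `allow ssh` added above sits earlier in the chain and matches
# first, so remove it before adding the deny: `sudo ufw delete allow ssh`
sudo ufw deny 22

# Insert rule at top of rule list (position 1) when a broad deny already exists
sudo ufw insert 1 allow from 192.168.1.6 to any port 22

# -----------------------------------------------
# 🧱 Example Rule Conflict & Ordering
# -----------------------------------------------

# Check rule numbers
sudo ufw status numbered

# Example output:
# [ 1] 22 DENY IN Anywhere
# [ 2] 22 ALLOW IN 192.168.1.6

# Fix incorrect rule order:
sudo ufw delete 1   # delete the deny-all rule
sudo ufw deny ssh   # re-add the deny; new rules are appended BELOW existing ones
# Alternative without deleting anything: push the allow to the top instead
# sudo ufw insert 1 allow from 192.168.1.6 to any port 22

# Correct order will be:
# [ 1] 22 ALLOW IN 192.168.1.6
# [ 2] 22 DENY IN Anywhere

# -----------------------------------------------
# 🚫 Block Pings (ICMP Echo)
# -----------------------------------------------

# Edit UFW before.rules file
sudo nano /etc/ufw/before.rules

# Add this line after the "drop INVALID packets" DROP lines (around line 31).
# It MUST come before the "# ok icmp codes for INPUT" ACCEPT block further down:
# rules are evaluated in order, so a DROP placed after the existing
# echo-request ACCEPT never matches.
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP
# Equivalent: change the existing echo-request line in that ACCEPT block from
# `-j ACCEPT` to `-j DROP`.
# IPv6 pings are handled separately: do the same in /etc/ufw/before6.rules on the
# `ufw6-before-input` chain with `-p ipv6-icmp --icmpv6-type echo-request`.
# Leave the other ICMP types in that block (destination-unreachable,
# time-exceeded, parameter-problem) alone — dropping them breaks path-MTU
# discovery and error reporting.

# Reload UFW to apply changes
sudo ufw reload

# -----------------------------------------------
# 🔍 UFW Application Profiles
# -----------------------------------------------

# List available profiles (shipped under /etc/ufw/applications.d/)
sudo ufw app list

# Show details about a specific app (the ports/protocols the profile opens)
sudo ufw app info "OpenSSH"

# Enable an app profile
sudo ufw allow "OpenSSH"

# -----------------------------------------------
# 📦 Advanced: Rate Limiting & Logging
# -----------------------------------------------

# Protect SSH from brute-force attacks
# `limit` allows the port but denies a source that opens more than 6 connections
# within 30 seconds (ufw's built-in threshold). Pair it with key-only
# authentication in sshd; the firewall only slows guessing, it does not stop it.
sudo ufw limit ssh

# Enable logging (levels: low, medium, high, full)
sudo ufw logging on       # turns logging on at the default "low" level
sudo ufw logging medium
# NOTE: medium and above also log allowed/new connections; on an internet-facing
# host that can flood syslog and fill the disk. "low" (blocked packets) is
# usually enough for auditing.

# Disable logging
sudo ufw logging off

# View UFW logs
sudo less /var/log/ufw.log
# ufw logs through the kernel log. On journald-only hosts (e.g. Fedora without an
# rsyslog rule) that file may not exist — read the journal instead:
# sudo journalctl -k | grep UFW

# -----------------------------------------------
# 🌐 Block / Allow Specific IPs & Networks
# -----------------------------------------------

# Deny all connections from a specific IP
sudo ufw deny from 203.0.113.5

# Allow entire subnet
sudo ufw allow from 192.168.1.0/24

# Deny subnet
sudo ufw deny from 10.0.0.0/8

# Allow specific port range (a protocol is mandatory for ranges)
sudo ufw allow 6000:6010/tcp

# Rules match top-down: when a host-specific deny must override a broader allow
# that already exists, insert it at the top
# sudo ufw insert 1 deny from 203.0.113.5

# -----------------------------------------------
# 🧩 IPv6 Configuration
# -----------------------------------------------

# Enable IPv6 support (current ufw releases default to yes — check, do not assume;
# with IPv6 off, every IPv6 address on the host is left unfiltered by ufw)
sudo nano /etc/default/ufw
# Set:
# IPV6=yes

# Apply the change. Rules added while IPV6=no have no (v6) counterpart, so
# disable/enable rather than just reload, then confirm `ufw status` lists (v6) entries:
sudo ufw disable
sudo ufw enable
# A plain reload is enough for rule edits that did not touch /etc/default/ufw:
sudo ufw reload

# -----------------------------------------------
# 🧰 Troubleshooting & Diagnostics
# -----------------------------------------------

# Check UFW version
ufw version

# Reload UFW rules
sudo ufw reload

# Check if UFW service is active
systemctl status ufw

# Show all current iptables rules applied by UFW
# (-n skips slow reverse-DNS lookups, -v shows packet/byte counters per rule)
sudo iptables -L -n -v
sudo ip6tables -L -n -v
# Where iptables is the nft shim (Fedora, recent Debian/Ubuntu) the same rules are
# also visible with:
# sudo nft list ruleset

# -----------------------------------------------
# 🔐 Best Practices
# -----------------------------------------------
# 1. Deny all incoming connections by default.
# 2. Allow only necessary ports (SSH, HTTP/HTTPS, DNS, NTP).
# 3. Use rate limiting for SSH (`ufw limit ssh`), plus key-based auth on the sshd side.
# 4. Disable ping (optional, for stealth — note it is not real stealth: any open
#    TCP port still reveals the host, and it hampers your own diagnostics).
# 5. Log dropped packets for auditing (level "low" is usually sufficient).
# 6. Review rules regularly with `ufw status numbered`.
# 7. Add the SSH rule before `ufw enable`; when changing rules remotely, test from a
#    second session before closing the one you are working in.
# 8. Restrict admin and database ports (22, 3306, 5432) to trusted source IPs or a
#    VPN range instead of "Anywhere"; bind services to localhost where possible.

# -----------------------------------------------
# 🌍 Common Ports Reference
# -----------------------------------------------
# Port  | Protocol | Purpose
# ------|----------|---------------------------------
# 20–21 | TCP      | FTP (file transfer, cleartext — prefer SFTP over 22)
# 22    | TCP      | SSH (remote access)
# 25    | TCP      | SMTP (mail)
# 53    | TCP/UDP  | DNS
# 67–68 | UDP      | DHCP
# 80    | TCP      | HTTP (web)
# 123   | UDP      | NTP (time sync)
# 443   | TCP      | HTTPS (secure web)
# 3306  | TCP      | MySQL (do not expose to the internet)
# 5432  | TCP      | PostgreSQL (do not expose to the internet)
# 8080  | TCP      | Alt HTTP

# ===============================================
# ⚠️ Special Case Example: Restrict SSH Access
# ===============================================
# Goal:
# Block all SSH requests except from one IP (192.168.1.6).
#
# Problem:
# The order of rules in UFW matters.
# UFW checks rules from top to bottom and stops at the first match.
#
# Example of incorrect rule order:
sudo ufw status numbered
# Output:
# [ 1] 224.0.0.251 mDNS ALLOW IN Anywhere
# [ 2] 22 DENY IN Anywhere
# [ 3] 80 ALLOW IN Anywhere
# [ 4] 443 ALLOW IN Anywhere
# [ 5] 22 ALLOW IN 192.168.1.6
# Here, the packet from 192.168.1.6 matches rule [2] (DENY) before reaching [5].
# Therefore, access is blocked even for 192.168.1.6.

# ✅ Correct fix:
# Deleting by number renumbers everything below it, so re-run `status numbered`
# before each further delete — or delete by rule text (`sudo ufw delete deny 22`),
# which is safer in scripts. With IPv6 enabled each rule usually has a (v6) twin;
# delete both or the v6 deny stays above the allow.
sudo ufw delete 2
sudo ufw deny ssh

# After correction, the rule order should be:
sudo ufw status numbered
# [ 1] 224.0.0.251 mDNS ALLOW IN Anywhere
# [ 2] 80 ALLOW IN Anywhere
# [ 3] 443 ALLOW IN Anywhere
# [ 4] 22 ALLOW IN 192.168.1.6
# [ 5] 22 DENY IN Anywhere
# [ 6] 22 (v6) DENY IN Anywhere (v6)

# Now:
# - Packets from 192.168.1.6 match rule [4] (ALLOW) first and are accepted.
# - All other SSH attempts match rule [5] (DENY) and are dropped.

# For quick setup (insert the allow at the top so it wins regardless of what
# already exists, then append the deny; reload is not required for rule
# changes but is harmless):
sudo ufw insert 1 allow from 192.168.1.6 to any port 22
sudo ufw deny ssh
sudo ufw reload

# ===============================================
# ✅ End of UFW Cheatsheet
# ===============================================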